The present invention relates to computer network security, and more particularly to the task of providing a user who is presently at a client machine outside the perimeter of a secure network with convenient, efficient, and secure access to data stored on a target server which is located within the secure network.
Distributed computing systems are becoming increasingly useful and prevalent. Distributed computers are now connected by local area networks, wide area networks, and networks of networks, such as the Internet. Many such networks are secured with a security perimeter which is defined by firewall software, routing limitations, encryption, virtual private networks, and/or other means. Machines within the security perimeter are given ready access to data stored in the secure network (possibly subject to user and group permissions, access control lists, and the like), while machines outside the perimeter are substantially or entirely denied access.
With the growth of such secure networks and their information content, there is an urgent need to support secure access by authorized users even when those users log in from a client machine outside the network security perimeter. A wide variety of tools and techniques relating to networks and/or security are known, at least individually and to at least some extent, including: computer network architectures including at least transport and session layers, sockets, clients, and servers; hyperlinks and uniform/universal resource locators (TVRLs); communications links such as Internet connections and LAN connections; proxy servers for HTTP and some other protocols; internetworking; Kerberos authentication; authentication through certificates exchanged during an SSL handshake; tying certificates to access control lists so that users are identified in certificates presented during the SSL handshake instead of being identified by an IP address, DNS name, or username and password; multiple instances of a server on the same machine in order to serve both insecure and secure documents; using a single password to log into an entire network rather than logging into individual servers; proxy servers as an example of servers which require user authentication; a secure sockets layer protocol manifestation in URLs, including protocol identifiers xe2x80x9chttp://xe2x80x9d and xe2x80x9chttps://xe2x80x9d; the use of a specific server port for network communication; various definitions of VPNs (virtual private networks); xe2x80x9croute filteringxe2x80x9d which controls route propagation; Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP); use of encryption technologies to provide the segmentation and virtualization required for VPN connectivity deployed in almost any layer of the protocol stack; transport or application layer VPNs; basic VPN requirements such as user authentication, address management, data encryption, key management, and multiprotocol support; tunneling by packet encapsulation, packet transmission, and packet unencapsulation; Lightweight Directory Access Protocol; a split proxy system for a protected computer network; translation between transport layer protocols; translation between IP and non-IP protocols; a proxy server within a network which receives a request for a protected Web resource from a browser outside the network and requires authentication of the browser to the proxy using some combination of a user ID and/or password; Novell/NetWare Directory Service (NDS) and user access controls; Windows NT Domain directory; Reverse Proxy/Virtual Hosting; a proxy server with HTTP caching; use of a proxy server by configuring client software to connect through the proxy server to prevent the client from being connected directly to the Internet; SSL encryption; an entry manager which serves as a single point of network entry for all users; a Trusted Sendmail Proxy, in the context of sensitivity labels and privileges, including a small, trusted program which acts as a communication path between an inside compartment that performs privileged internal operations and delivers local messages and an outside compartment that collects and send messages without privilege; a secured https proxy which apparently does SSL tunneling, logging, and reacting to events; software which apparently allows use of https URLs by way of an SSL connection with a program that wraps https calls to http; a protocol stream or content processor which knows how to convert something involving an URL into a proprietary content container which knows its content and that content""s type, for HTTP, HTTPS, FTP, gopher, and other protocols; redirection of HTTP requests in connection with an HTTP proxy; superuser privileges; and object rights and property rights which apply to properties of an NDS object, as well as distribution of directory information across the network through replication.
References which mention or discuss these and possibly other tools and techniques are identified and discussed relative to the present invention in a Petition for Special Examining Procedure filed concurrently with the present application. To the extent that the Petition describes the technical background of the invention as opposed to the invention itself, the text of the Petition is incorporated herein by this reference, This incorporation by reference does not imply that the claimed invention was previously known.
Although a wide variety of tools and techniques relating to networks and/or security are known, it has not previously been known how to combine them to provide clients outside a secure network perimeter with sufficiently convenient, efficient, and secure access to Web pages stored on servers within the secure network.
For example, some previous approaches require that the user""s name and/or password be sent across a network communications link in plain text. Other approaches use only a weak form of encryption, such as uuencoding, to protect the authentication information. In both cases, the authentication information is quite vulnerable to theft and misuse.
As another example, some previous approaches utilized strong encryption but required that special software be previously installed on both the client machine which is seeking access and on the server machine which holds the data sought by the client. Such approaches are taken by many virtual private networks, as well as by individual machines configured with public key/private key encryption software such as PGP software. These approaches protect user authentication information and/or the data which is transmitted after a user is authenticated, but they are not sufficiently convenient and efficient.
In particular, virtual private networks require significant administrative effort and vigilant attention to details in order to avoid problems arising from incorrect or inconsistent configurations. Moreover, widely used Web browsers such as those available from Netscape and Microsoft do not normally include full support for either virtual private networking or application-level encryption software such as PGP software.
Accordingly, it would be an advancement in the art to improve the tools and techniques that are available to provide a user who is presently at a client outside the perimeter of a secure network with convenient, efficient, and secure access to data stored on a server located within the secure network.
Such improvements to secure network access are disclosed and claimed herein.
In one embodiment, the present invention provides a distributed computing system which allows secure external access to a secure network such as a secure intranet. The system includes a target server within the secure network; a border server within the secure network; a client outside the secure network; a user authentication system located at least partially within the secure network; and a uniform resource locator transformer.
The border server is connectable to the target server by a first communications link, such as an intranet or Ethernet link. The client is connectable to the border server by a second communications link, such as a TCP/IP link. The client and the border server are configured to support secure sockets layer communication over the second communications link using SSL or.similar software.
The secure network is configured with authentication software and supporting data to allow direct access to the target server by a user only after the user is authenticated by the user authentication system. Typically, the user could readily log onto the network from an internal client at work, and the security questions addressed by the invention arise because the user wishes to log on through an external client at home or in the field rather than an internal one at work.
The uniform resource locator (URL) transformer modifies non-secure uniform resource locators in data being sent from the target server to the client by replacing them with corresponding secure URLs to promote continued use of secure sockets layer communication. The URL transformer is an xe2x80x9cSSL-izerxe2x80x9d. For instance, the URL transformer may replace instances of xe2x80x9chttpxe2x80x9d which refer to locations inside the secure network 100 by corresponding instances of xe2x80x9chttpsxe2x80x9d which refer to the same locations. The modifications to the data promote continued use of a secure connection such as an SSL connection. An URL transformer may be located on the border server, on the target server, or both. If the LURL transformer is located on the target server, the system may include tunneling software for tunneling secure data (which was transformed into secure form at the target server) between the client and the target server through the border server.
The border server and/or target server may include one or more data caches. For instance, in one configuration the border server has a cache that holds data from the target server which contains non-secure URLs, and the URL transformer introduces secure URLs on the fly without requiring that the transformed data also be cached on the border server. In another configuration, a border server cache includes a non-secure data cache for internal clients and a secure data cache for external clients. The non-secure data cache holds data that contains non-secure URLs, and the secure data cache holds data that does not contain any non-secure URLs. In yet another configuration, the border server cache is simply free of data that contains non-secure URLs.
In short, systems according to the invention use novel URL transformation and more familiar mechanisms such as HTTP redirection and SSL software (in novel ways) to provide secure authentication of a user from an external client and to provide secure transmission of confidential data between the target server and the external client.
By transforming non-secure URLs into secure URLs, the invention forces continued use of secure communications despite the inherent security problems caused by the lack of state information in HTTP. HTTP servers and browsers do not ordinarily xe2x80x9crememberxe2x80x9d security requirements from one Web page transmission to the next without some assistance. Accordingly, the present invention forces use of HTTPS or a similar secure connection each time the user follows an URL to confidential data. In addition, the invention provides security without requiring the installation of new client or target server software. Other features and advantages of the invention, and embodiments of the invention in methods, storage media, and signals, will all become more fully apparent through the following description.